[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha2-1119-g124d2ee

Andrew Bartlett abartlet at samba.org
Thu Feb 28 23:57:32 GMT 2008


The branch, v4-0-test has been updated
       via  124d2ee788f1ac4b201a2843b58be21de358deb0 (commit)
       via  faf324cac613f9b74e1de46fe490f4973dab995c (commit)
       via  f002a98c7ae0fc93cc738fde1ee62534f8e576ac (commit)
       via  04db9b184491415b3479fd79e1c07ba738818eb9 (commit)
       via  cda4642a937d249399e25eaa6e5e20a0d440bcbf (commit)
      from  80ce9a3bbc43535d7c4bdd0ec402272175732ebc (commit)

http://gitweb.samba.org/?samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 124d2ee788f1ac4b201a2843b58be21de358deb0
Merge: faf324cac613f9b74e1de46fe490f4973dab995c 80ce9a3bbc43535d7c4bdd0ec402272175732ebc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 29 10:56:56 2008 +1100

    Merge branch 'v4-0-test' of git://git.samba.org/samba into 4-0-local

commit faf324cac613f9b74e1de46fe490f4973dab995c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 29 10:56:04 2008 +1100

    Prove that not supporting ldapi is a bit problem.
    
    For a while now, ldapi support has been busted, but it was only tested
    when we were running against an external LDAP server.
    
    Andrew Bartlett

commit f002a98c7ae0fc93cc738fde1ee62534f8e576ac
Merge: 04db9b184491415b3479fd79e1c07ba738818eb9 ee170c85e0e76411bd752de5fe51db6940dab929
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 29 10:09:35 2008 +1100

    Merge branch 'v4-0-test' of git://git.samba.org/samba into 4-0-local

commit 04db9b184491415b3479fd79e1c07ba738818eb9
Merge: cda4642a937d249399e25eaa6e5e20a0d440bcbf 16f36ce499e93860dd535034a584ec2b93e7a172
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 29 08:48:57 2008 +1100

    Merge branch 'v4-0-test' of git://git.samba.org/samba into 4-0-local

commit cda4642a937d249399e25eaa6e5e20a0d440bcbf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 29 08:47:42 2008 +1100

    Simplify the 'password must change' logic
    
    This takes the previous patches further, so we catch all the cases
    (the KDC looked at the time directly).
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source/auth/sam.c               |   11 ++++++-----
 source/dsdb/common/util.c       |   39 +++++++++++++++++----------------------
 source/selftest/samba4_tests.sh |    1 +
 3 files changed, 24 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/auth/sam.c b/source/auth/sam.c
index abcb72f..9a8045f 100644
--- a/source/auth/sam.c
+++ b/source/auth/sam.c
@@ -149,7 +149,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	const char *workstation_list;
 	NTTIME acct_expiry;
 	NTTIME must_change_time;
-	NTTIME last_set_time;
 
 	struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL));
 
@@ -159,9 +158,11 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
 	
 	acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+
+	/* Check for when we must change this password, taking the
+	 * userAccountControl flags into account */
 	must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
 							      domain_dn, msg);
-	last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
 
 	workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
 
@@ -187,14 +188,14 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	}
 
 	/* check for immediate expiry "must change at next logon" */
-	if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) {
+	if (must_change_time == 0) {
 		DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", 
 			 name_for_logs));
 		return NT_STATUS_PASSWORD_MUST_CHANGE;
 	}
 
-	/* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */
-	if (acct_flags & ACB_PW_EXPIRED) {
+	/* check for expired password */
+	if (must_change_time < now) {
 		DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", 
 			 name_for_logs));
 		DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", 
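Review bot: Both rewritten checks now treat a return of 0 from samdb_result_force_password_change() as "change now" with no guard around it: `if (must_change_time == 0)` here and `if (must_change_time < now)` in samdb_result_acct_flags() in source/dsdb/common/util.c. The code removed from samdb_result_acct_flags() skipped the expiry test when the value was 0 for an account with a non-zero pwdLastSet, which suggests the helper may return 0 on some path that does not mean immediate expiry; its tail is not shown in this diff. If such a path exists, for example for a domain with no maximum password age, every normal account would be refused with NT_STATUS_PASSWORD_MUST_CHANGE. Once confirmed, the return contract belongs on the helper, e.g. `/* returns 0 only when pwdLastSet is 0; 0x7FFFFFFFFFFFFFFF when the password never expires */`. authsam_account_ok() starts and ends outside this hunk, including the place where `now` is set.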
diff --git a/source/dsdb/common/util.c b/source/dsdb/common/util.c
index c9c0285..ba8841c 100644
--- a/source/dsdb/common/util.c
+++ b/source/dsdb/common/util.c
@@ -469,8 +469,8 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
 }
 
 /*
-  construct the force_password_change field from the PwdLastSet attribute and the 
-  domain password settings
+  construct the force_password_change field from the PwdLastSet
+  attribute, the userAccountControl and the domain password settings
 */
 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, 
 					  TALLOC_CTX *mem_ctx, 
@@ -478,10 +478,12 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
 					  struct ldb_message *msg)
 {
 	uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
-	uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0);
+	uint32_t userAccountcontrol = samdb_result_uint64(msg, "userAccountControl", 0);
 	int64_t maxPwdAge;
 
-	if (user_flags & UF_DONT_EXPIRE_PASSWD) {
+	/* Machine accounts don't expire, and there is a flag for 'no expiry' */
+	if (!(userAccountControl & UF_NORMAL_ACCOUNT)
+	    || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
 		return 0x7FFFFFFFFFFFFFFFULL;
 	}
 
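Review bot: The new local is declared as `userAccountcontrol` (lower-case `c`) but the added condition tests `userAccountControl`, so this will not compile unless another identifier of that name is in scope; the declaration should read `uint32_t userAccountControl = samdb_result_uint64(msg, "userAccountControl", 0);`. Separately, the attribute is read with a default of 0, and the new `!(userAccountControl & UF_NORMAL_ACCOUNT)` test then returns the never-expires value, so a message fetched without `userAccountControl` is silently treated as a non-expiring account. A comment stating that callers must request both `pwdLastSet` and `userAccountControl` in the search would make that requirement visible. The rest of the function body is outside the hunk.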
@@ -607,24 +609,17 @@ uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ct
 {
 	uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
 	uint32_t acct_flags = samdb_uf2acb(userAccountControl); 
-	if ((userAccountControl & UF_NORMAL_ACCOUNT) && !(userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
-		NTTIME must_change_time;
-		NTTIME pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
-		if (pwdLastSet == 0) {
-			acct_flags |= ACB_PW_EXPIRED;
-		} else {
-			NTTIME now;
-			
-			must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
-									      domain_dn, msg);
-			
-			/* Test account expire time */
-			unix_to_nt_time(&now, time(NULL));
-			/* check for expired password */
-			if ((must_change_time != 0) && (must_change_time < now)) {
-				acct_flags |= ACB_PW_EXPIRED;
-			}
-		}
+	NTTIME must_change_time;
+	NTTIME now;
+	
+	must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
+							      domain_dn, msg);
+	
+	/* Test account expire time */
+	unix_to_nt_time(&now, time(NULL));
+	/* check for expired password */
+	if (must_change_time < now) {
+		acct_flags |= ACB_PW_EXPIRED;
 	}
 	return acct_flags;
 }
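Review bot: The comment `/* Test account expire time */` kept above `unix_to_nt_time(&now, time(NULL));` no longer describes the code, because the only comparison left is the password-expiry one; `/* current time as NTTIME, for the password expiry comparison below */` would match what the lines do. Since ACB_PW_EXPIRED is now derived for every account type from samdb_result_force_password_change() and the current time, a one-line comment saying so at the top of the body would help readers who expect the flags to come from userAccountControl alone. The function signature begins outside the hunk.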
diff --git a/source/selftest/samba4_tests.sh b/source/selftest/samba4_tests.sh
index 32386e5..bea4173 100755
--- a/source/selftest/samba4_tests.sh
+++ b/source/selftest/samba4_tests.sh
@@ -81,6 +81,7 @@ if grep ENABLE_GNUTLS.1 include/config.h > /dev/null; then
 	plantest "ldb.ldaps with options $options" dc $samba4srcdir/../testprogs/blackbox/test_ldb.sh ldaps \$SERVER_IP $options
     done
 fi
+plantest "ldb.ldapi with options $options" dc $samba4srcdir/../testprogs/blackbox/test_ldb.sh ldapi \$PREFIX_ABS/dc/private/ldapi $options
 for t in LDAP-CLDAP LDAP-BASIC LDAP-SCHEMA LDAP-UPTODATEVECTOR
 do
 	plansmbtorturetest "$t" dc "-U\$USERNAME%\$PASSWORD" //\$SERVER_IP/_none_
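Review bot: The added `plantest` line sits after `done` and `fi` but still expands `$options`, so it runs with whatever value the preceding loop left behind, or with an unset or stale value when the ENABLE_GNUTLS block is skipped (the loop header is outside the hunk, so the variable's origin is inferred). The test name and the arguments passed to test_ldb.sh then depend on leftover state. Either drop the variable, `plantest "ldb.ldapi" dc $samba4srcdir/../testprogs/blackbox/test_ldb.sh ldapi \$PREFIX_ABS/dc/private/ldapi`, or wrap the line in its own `for options in ...` loop as the ldaps case appears to do.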


-- 
Samba Shared Repository

